On Monday the Consumer Financial Protection Bureau (CFPB) took action against Xerox Business Services, LLC, now called Conduent Business Services, for software errors that led to incorrect consumer information about more than one million borrowers being sent to credit reporting agencies. The Bureau says that company also failed to notify all of its auto lender clients about known flaws in its software that led to the errors. The consent order requires Xerox to pay a $1.1 million civil penalty, explain its mistakes to its lender clients, and fix its faulty software.

According to the CFPB announcement,

Xerox Business Services, based in Dallas, Texas, operated and customized a third-party software application for five auto lenders. The software automatically generated and transmitted information about borrowers’ auto loans to consumer reporting agencies. Lenders use information furnished to the consumer reporting agencies when considering whether to issue a loan and on what terms, so it is essential the information is accurate. Mistakes on credit reports like those caused by Xerox can lead to consumers being denied credit, or not qualifying for lower interest rates or other favorable credit terms. Errors on credit reports can also impact a consumer’s ability to qualify for employment, insurance, and rental opportunities.

Widespread defects in the loan-servicing software that Xerox used led lenders to report inaccurate information about consumers’ performance on their loans. In 2016, its reports for more than one million of the auto lenders’ 6.4 million customer accounts had one or more errors. Xerox had acquired the rights to this software from its creator, an independent software developer. When lenders asked for certain features, Xerox would modify the software’s source code. Between 2004 and 2010, one modification was supposed to enable three of Xerox’s clients to provide consumer data in the Metro 2 Format. Metro 2 is the standard industry format used for furnishing this information in a uniform way to credit reporting agencies. However, Xerox’s modifications were based on a flawed, unreleased version of Metro 2 source code that led to the reporting of incorrect consumer information. This violated the Dodd-Frank Wall Street Reform and Consumer Protection Act.

According to the consent order, Xerox:

Provided flawed software that led to incorrect information being sent to credit reporting companies: Xerox’s use of flawed, unreleased loan-servicing software resulted in the transmission of inaccurate and incomplete information to credit reporting agencies. Missing or incorrect information included the date of borrowers’ first delinquent payment; actual payment amounts; scheduled monthly payment amount; amount past due; amount charged to loss when a loan is charged-off; account status, and other payment and account information.

Failed to inform lenders about defects in its software: Xerox did not notify all of its client lenders about the errors even after learning that the software it used resulted in the transmission of inaccurate information. Xerox’s clients told the company about faulty data being sent to credit reporting agencies, and ordered it to fix specific errors. But Xerox did not notify its other lender clients about the problems. Xerox also failed to pass along information it learned from the software’s developer about upgrades needed to prevent mistakes. As a result, for years Xerox’s clients persisted in transmitting inaccurate and incomplete information about borrowers and their accounts to the credit reporting agencies.

Enforcement action

Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB is authorized to take action against institutions engaged in unfair, deceptive, or abusive acts or practices, or that otherwise violate federal consumer financial laws.

Under today’s consent order, Xerox must:

Explain the errors to its clients, and act to prevent future mistakes: Xerox has to describe the errors caused by its flawed software to its client auto lenders, inform lenders of any future potential or actual errors within 30 days of its discovery, and explain the correct use of the software to its clients each time the coding is revised.

Give the CFPB a compliance plan: Xerox must give the CFPB a plan showing that it will identify and fix all defects in its software, and ensure that the software will report accurate information to credit reporting agencies.

Pay a $1.1 million penalty: Xerox must pay a penalty of $1.1 million to the CFPB Civil Penalty Fund.

Why is this relevant to the ARM industry? As in most markets, creditors and debt collectors – whose actions could pose risk to consumers if not executed correctly -- depend heavily on vendor-provided/maintained software to run their business.

Everyone makes mistakes. We see these examples in the news every day. As in this Xerox case, it’s typically not the original mistake that causes the greatest consequences; it’s the delay in discovery of the problem, or the delay in reporting the problem, or confusion related to reacting to the problem.

Any service provider ought to consider reviewing two things:

Their change management policy; a robust process should help to prevent a variety of mistakes in the first place.

Their disaster recovery policy, which would dictate how a firm would deal with discovery of a software glitch, just as it contemplates how to manage a breach, or how to deal with a natural disaster.